IT urged to work with legal departments

IT departments that try to battle computer crime independently may be undercutting their companies’ ability to fight off intruders, said a panel of industry experts.

What’s needed is a team approach, especially one that involves a corporate legal department that understands the investigative process and can assist law enforcement. That was the assessment of a panel of experts, including some current and former top U.S. computer crime investigators, at a public policy forum held last week. The forum was sponsored by the Washington D.C.-based news and information service The Bureau of National Affairs Inc.

When security problems arise at many companies, legal counsel is often left out of the loop, said Christopher Painter, deputy chief of the computer crime section at the U.S. Department of Justice. “System operators don’t think about that; that’s not their first concern,” he said.

But corporate legal departments can make all the difference in an investigation, said Christopher Bubb, the former New Jersey deputy attorney general who investigated the 1999 Melissa virus. Bubb recently left his post to become a legal counsel at Dulles, Va.-based America Online Inc.

AOL played an instrumental role in identifying the originator of the Melissa virus. When the company’s legal department contacted state computer crime officials in New Jersey, where the suspect resided, it “did so in a manner that gave law enforcement what they needed in an investigation,” Bubb said.

Bubb said there’s a “free flow of information” between the information security department and the legal staff at AOL. “We are allowed to be involved in the decision-making on the front end,” he said.

J.P. Morgan Chase & Co. in New York has dedicated teams around the globe for managing information security, said Jacinthia Lawson, a risk management officer at the company. Moreover, she said, J.P. Morgan has incident response teams that include senior managers; a fraud division; the human resources department, in case an employee is involved; auditors if there’s a breakdown in controls; and legal and corporate staff.

Many companies, however, remain reluctant to involve law enforcement in computer crime investigations for fear that the publicity will hurt their firms. Shawn Henry, who heads the computer intrusion unit at the Washington-based National Infrastructure Protection Center, said he has more than 1,200 pending investigations, and 99 per cent of the cases remain under wraps.

Companies that concentrate on remediation – closing off a vulnerability to deter an attacker – without any investigative follow-up may be hurting themselves in the long run. That’s especially the case if companies are dealing with an attack by a disgruntled employee or competitor, said Scott Charney, a partner at New York-based PricewaterhouseCoopers LLP